@urvesh-thakkar

ISO 27001:2022: What's New?

www.linkedin.com/in/urvesh-thakkar
LIFECYCLE & CHANGE OF NAME

Withdrawn:
ISO/IEC 27001:2013
ISO/IEC 27001:2013/Cor 1:2014
ISO/IEC 27001:2013/Cor 2:2015

Published:
ISO/IEC 27001:2022

ISO/IEC 27001:2013
Information technology - Security techniques - Information security management systems

ISO/IEC 27001:2022
Information security, cyber security & privacy protection - Information security management systems
CHANGE IN ABSTRACT & PAGES

Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organisation claims conformity to this document. [New 2022]

Total number of pages:
ISO/IEC 27001:2013: 23
ISO/IEC 27001:2022: 19
NEW DATABASES FOR TERMINOLOGY

ISO/IEC 27001:2013
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

ISO/IEC 27001:2022
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO and IEC maintain terminology databases for use in standardisation at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org
OTHER CHANGES

ISO/IEC 27001:2013
4.2 Understanding the needs and expectations of interested parties
The organisation shall determine:
a) interested parties that are relevant to the information security
management system;
b) the requirements of these interested parties relevant to
information security.

ISO/IEC 27001:2022
4.2 Understanding the needs and expectations of interested parties
The organisation shall determine:
a) interested parties that are relevant to the information security
management system;
b) the requirements of these interested parties relevant to
information security;
c) which of these requirements will be addressed through the
information security management system.

Focus towards relevant requirements
OTHER CHANGES

ISO/IEC 27001:2013
4.4 Information Security Management System
The organisation shall establish, implement, maintain and
continually improve an information security management
system, in accordance with the requirements of this
International Standard.

ISO/IEC 27001:2022
4.4 Information Security Management System
The organisation shall establish, implement, maintain and
continually improve an information security management
system, including the processes needed and their
interactions, in accordance with the requirements of this
International Standard.

Focus towards processes
OTHER CHANGES

ISO/IEC 27001:2013
6.2 Information security objectives and planning to achieve them
The organisation shall establish information security objectives at
relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements,
and results from risk assessment and risk treatment;
d) be communicated;
e) be updated as appropriate

ISO/IEC 27001:2022
6.2 Information security objectives and planning to achieve them
The organisation shall establish information security objectives at
relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements,
and results from risk assessment and risk treatment;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information

New requirements
OTHER CHANGES

ISO/IEC 27001:2013
6.3 -- DOES NOT EXIST

New clause 6.3

ISO/IEC 27001:2022
6.3 Planning of changes
When the organisation determines the need for changes to the
information security management system, the changes shall be
carried out in a planned manner.

7.4 Communication
The organisation shall determine the need for internal and external
communications relevant to the information security management
system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.

New requirement
OTHER CHANGES

ISO/IEC 27001:2013
8.1 Operational planning & control
The organisation shall plan, implement, and control processes to
meet information security requirements, execute actions from 6.1,
implement plans for 6.2 objectives, maintain necessary
documented information for confidence in process execution,
control planned changes, review unintended changes'
consequences, and ensure determination and control of
outsourced processes.

ISO/IEC 27001:2022
8.1 Operational planning & control
The organisation shall plan, implement and control the processes
needed to meet requirements, and to implement the actions
determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in
accordance with the criteria.
The organisation shall ensure that externally provided processes,
products or services that are relevant to the information security
management system are controlled.

New requirements
OTHER CHANGES

ISO/IEC 27001:2013
9.1 Monitoring, measurement, analysis and evaluation
The organisation shall retain appropriate documented information
as evidence of the monitoring and measurement results.

ISO/IEC 27001:2022
9.1 Monitoring, measurement, analysis and evaluation
Documented information shall be available as evidence of the
results.
The organisation shall evaluate the information security
performance and the effectiveness of the information security
management system.

New requirements
OTHER CHANGES

ISO/IEC 27001:2013
9.2 Internal Audit
9.3 Management Review

ISO/IEC 27001:2022
9.2 Internal Audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management Review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results

New management review input (9.3.2):
c) changes in needs and expectations of interested parties that are relevant to the information security management system

New structuring for 9.2 and 9.3 & new input for 9.3
OTHER CHANGES

ISO/IEC 27001:2013
10.1 Nonconformity and corrective action
10.2 Continual improvement

ISO/IEC 27001:2022
10.1 Continual improvement
10.2 Nonconformity and corrective action

Structural improvements

NEW ANNEX A: INFORMATION SECURITY CONTROLS

11 NEW CONTROLS

ISO/IEC 27001:2022

5 ORGANISATIONAL CONTROLS
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity

7 PHYSICAL CONTROLS
A.7.4 Physical security monitoring

8 TECHNOLOGICAL CONTROLS
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
EXISTING ISMS? TAKEAWAYS

- Refine ISMS Management Review procedure inputs to align with 2022 requirements.
- Enhance ISMS Communication Plan to effectively disseminate information about the revised standard.
- Evaluate and adapt third-party security tools (GRC, SIEM, VM) to ensure continued compliance with 2022 requirements.
- Review and update other policies, standards, and procedures as applicable.
- Realign internal and external audit checklists and questionnaires to reflect updated controls.
- Update Statement of Applicability (SoA) and maintain parallel spreadsheets for 2013 and 2022 versions at least for the next 2 years.
- Align Risk Treatment Plan (RTP) with new control structure and numbering.
REACH OUT TO ME

urvesh-thakkar

@urvesh_thakkar_